Writing CTF Challenges for Community College CEH course(samples within)

I’m the CTF guy for the community college and I’ve been writing challenges for the college’s courses that can utilize CTF(mostly hacker jeopardy and the challenges here not actual owning) to make the classes more interesting.

What I want to know is if someone knows of a group or community somewhere where I can show challenges and get feedback on whether I need to add hints or if I’m expecting way too much. I wrote the practical final for the forensics course which is how I got this role but one of the biggest things is making sure I don’t make the challenges beyond anything that they can solve.

The college is also might be hosting an event this spring so I’ll have harder challenges there. I’ll be continuing to write challenge generators/challenges in the mean time.

I need to know if there’s some community out there that has guidelines or some guidance as to what I should expect from community college students since I know I’m not the normal student in this area.

I have a large list of challenges I’ve already wrote including generators that I can share to show what I’ve already wrote.

I have literally zero formal training in writing CTF challenges or the like. My primary major isn’t even related to pentesting as this is just a hobby for me.

I guess I need to include a flag to give you guys an idea. Below is the flag called “Really Simple Algorithm - Fake it till you make it”.

The Elemantalists want you to forge a signature on the message “Use hashes to mitigate Blind Signing Attacks”. They have thankfully let you send your message to their signing server to have it signed.
You and your friend already setup a blinded signature now it’s up to you to get the signature on the original message.
You set your random integer r as 211. The server sent you back the information attached.

They want you to give to them a signature on the original message encoded in hex. Just the hex digits without any extra information.

The file they’re given is included below and is named “sign_your_soul_away_here.totally_legit”

Here’s the information you already had.
You sent the server your blinded message M’.

The server replied with the following message.

Your message M’ has been signed and the response S has been given along with your message.



There’s a bonus flag if they can give me what the original message they were encoding was. It’s only worth 15pts but I feel like it’s adequate. The main flag is worth 175pts also if that helps anyone.
That flag is not vulernable to near primes, small e, small d or similar attacks. Also they’re given the hex values instead of having to decode the actual RSA public key because I don’t know if they’d be able to figure out how to do it w/o some serious nudging and I don’t want them to get frustrated and give up.

I should say that they’ll have access to papers like the one attached below in the Canvas Module labeled “Additional Outside Resources”.


It’s what it looks like. It’s a paper on common rsa attacks showing you how to do them by hand and some python code they can copy/paste them.
Canvas for those of you not in school or have people in college is basically the Education CMS system that a lot of school’s use. It breaks up sections of the course into modules and you can link to files etc. So that document and other papers I’ve wrote will be there.

The class I’m talking about is the one that’s targeting CEH’s exam objectives.

I had a similar course at my college, and the most annoying thing was knowing the flag but not the format how it is to be submitted (spaces, caps, …). So thats something you should avoid at all cost.

I think the difficulty depends on the lecture. Also is this more of a live-ctf or more homeworkish?

It’s available for them to do during the set times of the class. It’s a sorta-live CTF.

Also menessim here’s the thing with the flags. I have them setup as regex in CTFd along with the normal flag in a static mode. Basically As long as the string they submit contains the flag I allow it as a solve. So let’s say they have a flag that’s a sha256 hash.


So if the submit


Or if they include a bit of the instructions in it still matches like so.
Let’s say the flag was stated in the following sentence “The flag is d1bc8d3ba4afc7e109612cb73acbdddac052c93025aa1f82942edabb7deb82a1”

is d1bc8d3ba4afc7e109612cb73acbdddac052c93025aa1f82942edabb7deb82a1

will be matched as valid. This way I don’t have to worry about them submitting some of the string and accidentally paste that as the flag. I want to avoid such issues.
The flag above just requires them to submit the hex encoded string of the flag.
If they submit it as uppercase hex, it takes it. If they submit it in the form that python does it (sample value) 0x1337dead8eefL. It’ll still work even though I was asking for 1337dead8eef.

I’m mainly talking about the difficulty of the challenges for them. The one above is a sample of the harder crypto ones I made.

The school might be hosting a live CTF so it’ll be part of a one-day event. Otherwise it’ll be something they work on throughout the 8 weeks of the course. I believe they do CTF challenges for one class period every other week or something like that. Of course there’s nothing stopping them from taking a challenge home to try and finish it then.

None of this stuff is graded also it’s purely for fun and to get them to do things related to the field that they’ll be going into.